<html>
<head><meta charset="utf-8"><title>Transmuting betwen references / raw pointers / integers · project-safe-transmute · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/index.html">project-safe-transmute</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html">Transmuting betwen references / raw pointers / integers</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="213661854"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213661854" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213661854">(Oct 17 2020 at 17:31)</a>:</h4>
<p>Will safe-transmute as proposed allow safe code to transmute between references, raw pointers/function pointers, and other non-pointer types? I think we have to tread very carefully here...<br>
<a href="https://github.com/rust-lang/unsafe-code-guidelines/issues/251#issuecomment-710783381">See this discussion</a> for some background, and ctrl-F for "type punning" in <a href="https://people.mpi-sws.org/~jung/twinsem/twinsem.pdf">this paper</a> for all of the details. The upshot is that transmuting (not casting) pointers to integers might be UB, or at least that is sadly the best proposal we have so far for a semantics that actually allows all the optimizations that compilers already perform.</p>



<a name="213664492"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213664492" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Quy Nguyen <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213664492">(Oct 17 2020 at 18:30)</a>:</h4>
<p>Why is it UB to do the load-store optimization? The twin allocation paper suggests it removes a cast, but why exactly is removing the cast unsound if integers contain no provenance?</p>



<a name="213664504"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213664504" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jack Wrenn <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213664504">(Oct 17 2020 at 18:30)</a>:</h4>
<blockquote>
<p>and ctrl-F for "type punning" in this paper</p>
</blockquote>
<p>Well, that was certainly dramatic! <span aria-label="sweat smile" class="emoji emoji-1f605" role="img" title="sweat smile">:sweat_smile:</span></p>
<p>The proposal isn't meant to <em>allow</em> anything, per se, it just provides a type-level predicate (i.e., <code>TransmuteFrom</code>) for <em>asking</em> if a conversion is allowed.</p>
<p>Still, the RFC is full of illustrative examples that I hoped would be uncontroversial, <a href="https://github.com/rust-lang/rfcs/blob/ec9eb45a07477ca7f8438d072854bf8699a2e3bb/text/0000-safer-transmute.md#requirements-on-references">some of which involve references</a>. The gist is that if the <code>Src</code> and <code>Dst</code> types have references occuring at the same offset, you simply ask whether those types are transmutable, plus the extra rules in the aforementioned link. Those rules correspond to when I imagine it'd be safe to call <code>transmute_copy</code> (which consumes a reference). </p>
<p>If those rules fail to describe our understanding of what's well-defined behavior, then they should simply be removed.</p>



<a name="213665765"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213665765" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213665765">(Oct 17 2020 at 18:56)</a>:</h4>
<p><span class="user-mention silent" data-user-id="303115">Quy Nguyen</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213664492">said</a>:</p>
<blockquote>
<p>Why is it UB to do the load-store optimization? The twin allocation paper suggests it removes a cast, but why exactly is removing the cast unsound if integers contain no provenance?</p>
</blockquote>
<p>the case is one of using an integer-typed point to use pointer-typed data that has provenance</p>



<a name="213665773"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213665773" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213665773">(Oct 17 2020 at 18:56)</a>:</h4>
<p><span class="user-mention" data-user-id="219211">@Jack Wrenn</span> transmuting references to references is fine</p>



<a name="213665777"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213665777" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213665777">(Oct 17 2020 at 18:56)</a>:</h4>
<p>the problem is when data with provenance gets transmuted to data without</p>



<a name="213666239"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213666239" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jack Wrenn <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213666239">(Oct 17 2020 at 19:06)</a>:</h4>
<p>That's welcome news—handling reference-to-int transmutations was seemingly like it would be a bit of a headache to implement in the algo we've been toying with, so I'm happy to hear I might just not even have to worry about it!</p>



<a name="213683978"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213683978" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213683978">(Oct 18 2020 at 02:42)</a>:</h4>
<p>bad news for <code>bytemuck</code> XD</p>



<a name="213684060"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213684060" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213684060">(Oct 18 2020 at 02:45)</a>:</h4>
<p>How severe is this "might be"?</p>



<a name="213697958"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213697958" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213697958">(Oct 18 2020 at 09:28)</a>:</h4>
<p><span class="user-mention silent" data-user-id="224471">Lokathor</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213684060">said</a>:</p>
<blockquote>
<p>How severe is this "might be"?</p>
</blockquote>
<p>"we have no idea how to make it not UB"-level severe. As in, it seems to be an inevitable consequence of having some rather basic optimizations:</p>
<ul>
<li>dead store elimination</li>
<li>store forwarding</li>
<li>all arithmetic identities on integers (i.e., integers form a ring)</li>
<li>"substitution" on integers, i.e., if you tested <code>x == y</code> then you can replace <code>x</code> by <code>y</code></li>
</ul>
<p>we have no proof that it is an inevitable consequence, but also so far nobody has been able to come up with a semantics that has all of the above.<br>
you can see me shooting down one proposal after the other in <a href="https://github.com/rust-lang/unsafe-code-guidelines/issues/251">https://github.com/rust-lang/unsafe-code-guidelines/issues/251</a>. ;)</p>



<a name="213705603"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213705603" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Connor Horman <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213705603">(Oct 18 2020 at 13:05)</a>:</h4>
<p>I think maintaining provenance in integers is a reasonable idea, though only for appropriately sized integers (that is, casts for size_of::&lt;int&gt;()&gt;=size_of::&lt;usize&gt;() and transmutes/pointer ops for size_of::&lt;int&gt;()==size_of::&lt;usize&gt;()). This is what C does. Though removing provenance doesn't necessarily prevent the optimizations, since it can only introduce UB (at least, under the C or C++ model for pointers, where pointers <em>have</em> to actually be produced from an object), which I suppose is the issue. The optimizations can also be maintained reguardless of the path taken, as even if they would strictly introduce UB, it only matters if the compiler actually does something about that introduced UB, since provenance is almost always simply compiler info.</p>



<a name="213710479"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213710479" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213710479">(Oct 18 2020 at 15:08)</a>:</h4>
<blockquote>
<p>I think maintaining provenance in integers is a reasonable idea</p>
</blockquote>
<p>it is incompatible with points 3 and 4 in my list though. you lose tons of optimizations if integers can have provenance.<br>
that's why I strongly disagree. I think it is a rather bad idea.</p>



<a name="213710496"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213710496" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213710496">(Oct 18 2020 at 15:09)</a>:</h4>
<blockquote>
<p>This is what C does. </p>
</blockquote>
<p>Source? As far as I know the opposite is the case; integers do not have provenance in C: <a href="http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2577.pdf">http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2577.pdf</a></p>



<a name="213710522"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213710522" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213710522">(Oct 18 2020 at 15:09)</a>:</h4>
<p>having provenance for integers is mentioned as a possibility but the main thrust is for PNVI-ae-udi, where the "NVI" is for "not via integers"</p>



<a name="213710682"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213710682" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213710682">(Oct 18 2020 at 15:12)</a>:</h4>
<blockquote>
<p>The optimizations can also be maintained reguardless of the path taken, as even if they would strictly introduce UB,</p>
</blockquote>
<p>Nonono. We do not do optimizations that introduce UB, as that <em>will</em> lead to miscompilations. Even the LLVM and GCC devs agree with that. They just have the problem of working with poorly specified IRs (when it comes to UB), so it can be hard to tell if an optimization introduces UB. Therefore there are quite a few buggy optimizations, and they are known to actually break code. To give just a few examples:</p>
<ul>
<li><a href="https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82282">https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82282</a></li>
<li><a href="https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65752">https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65752</a></li>
<li><a href="https://gcc.gnu.org/bugzilla/show_bug.cgi?id=57359">https://gcc.gnu.org/bugzilla/show_bug.cgi?id=57359</a></li>
<li><a href="https://bugs.llvm.org/show_bug.cgi?id=34548">https://bugs.llvm.org/show_bug.cgi?id=34548</a></li>
<li><a href="https://bugs.llvm.org/show_bug.cgi?id=21725">https://bugs.llvm.org/show_bug.cgi?id=21725</a></li>
<li><a href="https://bugs.llvm.org/show_bug.cgi?id=35229">https://bugs.llvm.org/show_bug.cgi?id=35229</a></li>
<li><a href="https://bugs.llvm.org/show_bug.cgi?id=46380">https://bugs.llvm.org/show_bug.cgi?id=46380</a></li>
</ul>
<p>If you think it is okay for optimizations to introduce UB, it is pointless for you to comment here I think.</p>
<blockquote>
<p>it only matters if the compiler actually does something about that introduced UB, since provenance is almost always simply compiler info.</p>
</blockquote>
<p>You seem to misunderstand how UB works or how we treat it in Rust... much of it is "simply compiler info" (C-style integer overflows, unstable <a href="https://www.ralfj.de/blog/2019/07/14/uninit.html">uninit memory</a>, just to name some examples). That does not make it any less dangerous. In Rust we take that seriously and don't write it off as "oh but if the compiler doesnt notice its fine". No it's not fine. If you disagree, please open a new thread -- this thread here is not about how serious UB is, it is about taking it seriously and finding a way to avoid it.</p>



<a name="213715266"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715266" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715266">(Oct 18 2020 at 17:02)</a>:</h4>
<p>I think I'm missing something here. <span class="user-mention" data-user-id="120791">@RalfJ</span> , I read your comment and the paper's section on type punning, and I don't understand why "allowing pointer-to-integer casts would prevent this optimization" seems to be implicitly treated as "so we can't allow them". Why is it not instead treated as "so we can't do that optimization in the presence of pointer-to-integer casts"?</p>



<a name="213715461"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715461" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715461">(Oct 18 2020 at 17:06)</a>:</h4>
<p>There's plenty of valid code out there that assumes it can, for instance, have a union (or equivalent via transmute) between a pointer and an integer of the same size, and do things like store useful data in the low bits of an aligned pointer, extracting the actual pointer by reading the integer, masking, and casting to the pointer. Wouldn't this proposal break such code? Or am I misunderstanding what's being proposed here?</p>



<a name="213715503"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715503" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715503">(Oct 18 2020 at 17:07)</a>:</h4>
<p><span class="user-mention silent" data-user-id="239881">Josh Triplett</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213715266">said</a>:</p>
<blockquote>
<p>I think I'm missing something here. <span class="user-mention silent" data-user-id="120791">RalfJ</span> , I read your comment and the paper's section on type punning, and I don't understand why "allowing pointer-to-integer casts would prevent this optimization" seems to be implicitly treated as "so we can't allow them". Why is it not instead treated as "so we can't do that optimization in the presence of pointer-to-integer casts"?</p>
</blockquote>
<p>it seems unrealistic to convince LLVM to not do load forwarding or dead store elimination...</p>



<a name="213715563"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715563" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715563">(Oct 18 2020 at 17:08)</a>:</h4>
<p>It seems equally unrealistic to tell people they can't cast pointers to integers.</p>



<a name="213715567"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715567" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715567">(Oct 18 2020 at 17:08)</a>:</h4>
<p>"Presence of ptr-int-casts" here means "they are present in the language". Except for a few very controlled circumstances, it does not matter if the bit of code we are looking at uses them or not, as long as the unknown code all around us could use them.</p>



<a name="213715581"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715581" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715581">(Oct 18 2020 at 17:09)</a>:</h4>
<p>Is this just another case of "systems programming and strict aliasing are utterly incompatible"?</p>



<a name="213715591"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715591" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715591">(Oct 18 2020 at 17:09)</a>:</h4>
<p>it's not just alias analysis</p>



<a name="213715593"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715593" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715593">(Oct 18 2020 at 17:09)</a>:</h4>
<p>it's any kind of provenance, even C-style provenance</p>



<a name="213715647"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715647" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715647">(Oct 18 2020 at 17:10)</a>:</h4>
<p>This thread is literally the first time I've heard the word "provenance" in this context.</p>



<a name="213715661"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715661" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715661">(Oct 18 2020 at 17:10)</a>:</h4>
<p>yeah the C standard unfortunately avoids the term, which does not help for the discussion</p>



<a name="213715666"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715666" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715666">(Oct 18 2020 at 17:10)</a>:</h4>
<p>we have <a href="https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#pointer-provenance">a brief definition</a> in the UCG glossary</p>



<a name="213715681"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715681" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715681">(Oct 18 2020 at 17:11)</a>:</h4>
<p>C demonstrably <em>has</em> provenance, they just dont talk about it. They can get away with that because it is an axiomatic standard that does not actually describe how to run a C program.</p>



<a name="213715757"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715757" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715757">(Oct 18 2020 at 17:12)</a>:</h4>
<p>but arguably this is less of a problem for C than for LLVM, as C does not specify which optimizations are possible and optimizations are usually not done by transforming C code to C code</p>



<a name="213715776"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715776" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715776">(Oct 18 2020 at 17:13)</a>:</h4>
<p>future versions of C will likely explicitly talk about provenance: <a href="http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2577.pdf">http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2577.pdf</a></p>



<a name="213715792"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715792" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715792">(Oct 18 2020 at 17:14)</a>:</h4>
<p>What does it mean to say that C "has provenance"?</p>



<a name="213715834"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715834" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715834">(Oct 18 2020 at 17:14)</a>:</h4>
<p>very roughly speaking it means that a pointer is more than just an address</p>



<a name="213715838"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715838" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715838">(Oct 18 2020 at 17:14)</a>:</h4>
<p><a href="https://www.ralfj.de/blog/2018/07/24/pointers-and-bytes.html">"pointers are complicated"</a></p>



<a name="213715844"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715844" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715844">(Oct 18 2020 at 17:14)</a>:</h4>
<p>it does not just matter what address a pointer points to, but also how you computed it (hence "provenance")</p>



<a name="213715925"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715925" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715925">(Oct 18 2020 at 17:16)</a>:</h4>
<p>now, what that C proposal does is not to care about the perils of optimizing IRs, and just define something reasonable for the surface language. we could do that, too. the issue is that there is no known efficient way to translate that semantics to LLVM IR (or the IR of any other modern heavily optimizing compiler)</p>



<a name="213715929"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715929" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715929">(Oct 18 2020 at 17:16)</a>:</h4>
<p>That's not what I mean. I read the glossary, and it's assuming that I already understand why cross-allocation pointers should be UB. It sounds like the primary reason would be alias analysis? but you're saying this is about more than just alias analysis?</p>



<a name="213715939"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715939" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715939">(Oct 18 2020 at 17:16)</a>:</h4>
<p>okay I guess that is also part of alias analysis, true</p>



<a name="213715943"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715943" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715943">(Oct 18 2020 at 17:17)</a>:</h4>
<p>I somehow thought you meant specifically <code>noalias</code></p>



<a name="213715961"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715961" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715961">(Oct 18 2020 at 17:17)</a>:</h4>
<p>No, I was talking specifically about GCC's "strict aliasing", AKA "break my low-level code".</p>



<a name="213715966"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213715966" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213715966">(Oct 18 2020 at 17:17)</a>:</h4>
<p>oh but it's not just that</p>



<a name="213716013"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716013" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716013">(Oct 18 2020 at 17:18)</a>:</h4>
<p>even <code>getelementr</code> (aka <code>ptr::offset</code> and <code>ptr::wrapping_offset</code> in Rust) means there is provenance</p>



<a name="213716031"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716031" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716031">(Oct 18 2020 at 17:18)</a>:</h4>
<p>so not just strict aliasing but also "though shall not do cross-allocation ptr arithmetic", which AFAIK predates strict aliasing and certainly is an orthogonal aspect of pointers in C</p>



<a name="213716062"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716062" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716062">(Oct 18 2020 at 17:19)</a>:</h4>
<p>I think part of my confusion is arising because I'm wondering why the compiler needs to track provenance if it sounds like the only reason that it needs to track provenance is because it tracks provenance. Once a pointer is turned into another pointer by way of an integer, if it doesn't have the original provenance, why would GEP inbounds matter?</p>



<a name="213716123"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716123" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716123">(Oct 18 2020 at 17:20)</a>:</h4>
<p><span class="user-mention silent" data-user-id="239881">Josh Triplett</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213716062">said</a>:</p>
<blockquote>
<p>I think part of my confusion is arising because I'm wondering why the compiler needs to track provenance if it sounds like the only reason that it needs to track provenance is because it tracks provenance. Once a pointer is turned into another pointer by way of an integer, if it doesn't have the original provenance, why would GEP inbounds matter?</p>
</blockquote>
<p>we are not talking about the compiler tracking provenance, it's about the Abstract Machine that specifies the language tracking provenance. or if you prefer to think about it that way, Miri needs to track provenance if it wants to detect all UB.</p>



<a name="213716131"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716131" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716131">(Oct 18 2020 at 17:20)</a>:</h4>
<p>There's a lot of missing context here. That sounds circular.</p>



<a name="213716142"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716142" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716142">(Oct 18 2020 at 17:21)</a>:</h4>
<p>"it's UB to violate provenance, we track provenance because we want to detect UB".</p>



<a name="213716145"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716145" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716145">(Oct 18 2020 at 17:21)</a>:</h4>
<p>Miri needs to track provenance to tell you when you are using <code>ptr::offset</code> incorrectly. What is circular about that?</p>



<a name="213716188"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716188" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716188">(Oct 18 2020 at 17:22)</a>:</h4>
<p>The fact that "incorrectly" is defined in terms of provenance?</p>



<a name="213716193"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716193" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716193">(Oct 18 2020 at 17:22)</a>:</h4>
<p>I mean you need to define it somehow...</p>



<a name="213716195"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716195" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716195">(Oct 18 2020 at 17:22)</a>:</h4>
<p>provenance is the only way we do</p>



<a name="213716198"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716198" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716198">(Oct 18 2020 at 17:22)</a>:</h4>
<p>One moment...</p>



<a name="213716209"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716209" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716209">(Oct 18 2020 at 17:23)</a>:</h4>
<p>that's no different from saying that Miri  needs to track which memory is initialized to tell you when you incorrectly use uninit memory</p>



<a name="213716228"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716228" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716228">(Oct 18 2020 at 17:23)</a>:</h4>
<p>Right, but there's a <em>reason</em> we define it as "incorrect" to use uninitialized memory. And I'm assuming there's a <em>reason</em> we define it as "incorrect" to use <code>ptr::offset</code> to violate provenance.</p>



<a name="213716233"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716233" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716233">(Oct 18 2020 at 17:23)</a>:</h4>
<p>I'm trying to not go around in circles here. I'm starting from the assumption that when we consider defining something as UB, we're considering doing that because it would enable some compiler optimization that we don't want to do without.</p>



<a name="213716271"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716271" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716271">(Oct 18 2020 at 17:24)</a>:</h4>
<p>if you are asking "why is cross-alloc arithmetic UB", there are two meanings this "why" could have:</p>
<ul>
<li>in the precise language spec, aka the Abstract Machine, what is it that this does that causes a UB error to be raised?</li>
<li>why was the Abstract Machine specified like this to begin with?</li>
</ul>



<a name="213716275"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716275" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716275">(Oct 18 2020 at 17:24)</a>:</h4>
<p>I think the confusion arises because you take my answers to the first bullet as being answers to the 2nd bullet</p>



<a name="213716278"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716278" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716278">(Oct 18 2020 at 17:24)</a>:</h4>
<p>Yes. :)</p>



<a name="213716284"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716284" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716284">(Oct 18 2020 at 17:24)</a>:</h4>
<p>Because in practice the second bullet is the only thing I ever care about, because it's the justification for "why is this UB rather than a compiler bug?".</p>



<a name="213716290"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716290" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716290">(Oct 18 2020 at 17:25)</a>:</h4>
<p>so for the 2nd kind of answer, it is optimizations as you said -- that all have to do with aliasing</p>



<a name="213716298"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716298" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716298">(Oct 18 2020 at 17:25)</a>:</h4>
<p>Also, I'm not asking specifically about <code>ptr::offset</code> across allocations, at least not today. :)</p>



<a name="213716345"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716345" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716345">(Oct 18 2020 at 17:26)</a>:</h4>
<p>Right now I'm trying to understand why the compiler needs to enforce that I can't do the equivalent of <code>some_struct *real_ptr = (some_struct *)(((unsigned long )ptr) &amp; ~7);</code>.</p>



<a name="213716354"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716354" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716354">(Oct 18 2020 at 17:26)</a>:</h4>
<p>basically compilers can benefit a lot from being able to assume that pointers "derived from" two different allocations (different <code>malloc</code>, different local variables) can never alias no matter how much arithmetic you do to them</p>



<a name="213716366"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716366" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716366">(Oct 18 2020 at 17:27)</a>:</h4>
<p><span class="user-mention silent" data-user-id="239881">Josh Triplett</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213716345">said</a>:</p>
<blockquote>
<p>Right now I'm trying to understand why the compiler needs to enforce that I can't do the equivalent of <code>some_struct *real_ptr = (some_struct *)(((unsigned long )ptr) &amp; ~7);</code>.</p>
</blockquote>
<p>I dont understand what that has to do with this thread</p>



<a name="213716373"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716373" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716373">(Oct 18 2020 at 17:27)</a>:</h4>
<p>also I'm afraid I need to leave, I should have started cooking 30min ago^^</p>



<a name="213716378"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716378" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716378">(Oct 18 2020 at 17:27)</a>:</h4>
<p>The subject of this thread is about transmuting between pointers and integers. My concern is about transmuting a pointer to an integer, doing math on it, then transmuting it back to a pointer and using it.</p>



<a name="213716398"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716398" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716398">(Oct 18 2020 at 17:28)</a>:</h4>
<p>your example doesnt transmute though, it casts</p>



<a name="213716423"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716423" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716423">(Oct 18 2020 at 17:28)</a>:</h4>
<p>...that those aren't equivalent is scaring me.</p>



<a name="213716429"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716429" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716429">(Oct 18 2020 at 17:28)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213716373">said</a>:</p>
<blockquote>
<p>also I'm afraid I need to leave, I should have started cooking 30min ago^^</p>
</blockquote>
<p>No problem.</p>



<a name="213716440"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716440" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716440">(Oct 18 2020 at 17:29)</a>:</h4>
<p>/me would very much like to understand this better, and in particular, understand whether the proposal here would make massive amounts of existing code UB.</p>



<a name="213716442"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716442" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716442">(Oct 18 2020 at 17:29)</a>:</h4>
<p>I can understand that, but that is a basic consequence of having provenance, which is to say it is a basic consequence of there being rules that depend on how you compute a particular address</p>



<a name="213716451"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716451" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716451">(Oct 18 2020 at 17:29)</a>:</h4>
<p><span class="user-mention silent" data-user-id="239881">Josh Triplett</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213716440">said</a>:</p>
<blockquote>
<p>/me would very much like to understand this better, and in particular, understand whether the proposal here would make massive amounts of existing code UB.</p>
</blockquote>
<p>I think it might help to do a call at some point. there is a <em>lot</em> of information to transmit here and text chat bandwidth isn't great.^^</p>



<a name="213716454"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716454" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716454">(Oct 18 2020 at 17:29)</a>:</h4>
<p>Yes, that seems like a good idea.</p>



<a name="213716456"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716456" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716456">(Oct 18 2020 at 17:29)</a>:</h4>
<p>Quick question:</p>



<a name="213716508"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716508" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716508">(Oct 18 2020 at 17:30)</a>:</h4>
<p>Is doing this kind of transmute-then-calculate-then-transmute-back on a pointer OK if the resulting pointer ends up being from the same allocation?</p>



<a name="213716530"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716530" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716530">(Oct 18 2020 at 17:30)</a>:</h4>
<p>also keep in mind that it is not like I want to make tons of code UB. what I want is to have a description of LLVM IR semantics that is self-consistent. inconsistencies such as what we are talking about usually indicate a potential for miscompilations. sadly so far there seems to be no self-consistent description that does not have some really scary UB that we'd rather not have. this is an open research problem.</p>



<a name="213716548"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716548" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716548">(Oct 18 2020 at 17:31)</a>:</h4>
<p><span class="user-mention silent" data-user-id="239881">Josh Triplett</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213716508">said</a>:</p>
<blockquote>
<p>Is doing this kind of transmute-then-calculate-then-transmute-back on a pointer OK if the resulting pointer ends up being from the same allocation?</p>
</blockquote>
<p>if it is a transmute, we don't have a good way of supporting that in our formal models of LLVM. but your code does casts, so it is fine.</p>



<a name="213716596"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716596" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716596">(Oct 18 2020 at 17:32)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213716530">said</a>:</p>
<blockquote>
<p>also keep in mind that it is not like I want to make tons of code UB. what I want is to have a description of LLVM IR semantics that is self-consistent. inconsistencies such as what we are talking about usually indicate a potential for miscompilations. sadly so far there seems to be no self-consistent description that does not have some really scary UB that we'd rather not have. this is an open research problem.</p>
</blockquote>
<p>I realize. And keep in mind that I'm not trying to make compiler-writer's lives difficult; I'm just aware of a lot of existing code out there. I don't take the hard-line position that "we should never declare things UB that code wants to do, it's always the compiler's problem". I also appreciate that you don't take the reverse hard-line position about UB, either. :)</p>



<a name="213716602"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716602" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716602">(Oct 18 2020 at 17:32)</a>:</h4>
<p><a href="https://bugs.llvm.org/show_bug.cgi?id=34548">https://bugs.llvm.org/show_bug.cgi?id=34548</a> is a concrete example that shows that casting between ptrs and ints is <em>not</em> a NOP in LLVM IR, and that treating it as a NOP leads to miscompilations.</p>



<a name="213716618"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716618" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716618">(Oct 18 2020 at 17:33)</a>:</h4>
<p>that bugreport is by a coauthor of mine on <a href="https://people.mpi-sws.org/~jung/twinsem/twinsem.pdf">this paper</a>. they found similar bugs in GCC, MSCV, and ICC, if memory serves right. "bugs" here being end-to-end miscompilations of conforming (if contrived) C code.</p>



<a name="213716629"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716629" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716629">(Oct 18 2020 at 17:33)</a>:</h4>
<p>so, treating transmutes and casts between ints and ptrs as being the same thing is clearly natural to many people, and also clearly does not work</p>



<a name="213716685"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716685" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716685">(Oct 18 2020 at 17:34)</a>:</h4>
<p>/me will stare at that bug report for a bit.</p>



<a name="213716701"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716701" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716701">(Oct 18 2020 at 17:34)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213716548">said</a>:</p>
<blockquote>
<p><span class="user-mention silent" data-user-id="239881">Josh Triplett</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213716508">said</a>:</p>
<blockquote>
<p>Is doing this kind of transmute-then-calculate-then-transmute-back on a pointer OK if the resulting pointer ends up being from the same allocation?</p>
</blockquote>
<p>if it is a transmute, we don't have a good way of supporting that in our formal models of LLVM. but your code does casts, so it is fine.</p>
</blockquote>
<p>I think this is a key point I want to understand better. Even more fundamental than "pointers are just integers" is "transmute is a cast", and I'd like to understand why that isn't the case.</p>



<a name="213716713"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716713" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716713">(Oct 18 2020 at 17:35)</a>:</h4>
<p>Also, please don't let me keep you right now; go enjoy your meal. :)</p>



<a name="213716760"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716760" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716760">(Oct 18 2020 at 17:36)</a>:</h4>
<p>if you want some more related bugreports in this area, here's a short list:</p>
<ul>
<li><a href="https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82282">https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82282</a></li>
<li><a href="https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65752">https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65752</a></li>
<li><a href="https://bugs.llvm.org/show_bug.cgi?id=35229">https://bugs.llvm.org/show_bug.cgi?id=35229</a> (I particularly like how they retitled this one from "miscompilation" to "undesired optimization results" <span aria-label="rofl" class="emoji emoji-1f923" role="img" title="rofl">:rofl:</span> )</li>
</ul>



<a name="213716766"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716766" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716766">(Oct 18 2020 at 17:36)</a>:</h4>
<p>Also, wait, how is that a conforming C program?</p>



<a name="213716778"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716778" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716778">(Oct 18 2020 at 17:37)</a>:</h4>
<blockquote>
<p>Even more fundamental than "pointers are just integers" is "transmute is a cast", and I'd like to understand why that isn't the case.</p>
</blockquote>
<p>curious, to me if pointers are not integers then naturally casts are not transmutes... they need to convert between the two representations after all.</p>



<a name="213716788"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716788" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716788">(Oct 18 2020 at 17:37)</a>:</h4>
<p><span class="user-mention silent" data-user-id="239881">Josh Triplett</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213716766">said</a>:</p>
<blockquote>
<p>Also, wait, how is that a conforming C program?</p>
</blockquote>
<p>Oh, wait, I follow the logic now.</p>



<a name="213716789"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716789" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716789">(Oct 18 2020 at 17:37)</a>:</h4>
<p>in particular since pointers carry <em>more</em> information than integers, which you seem to be willing to go with, then clearly casting ptr-&gt;int-&gt;ptr loses some information. a transmute would not lose information.</p>



<a name="213716833"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716833" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716833">(Oct 18 2020 at 17:38)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213716789">said</a>:</p>
<blockquote>
<p>in particular since pointers carry <em>more</em> information than integers, which you seem to agree with, then clearly casting ptr-&gt;int-&gt;ptr loses some information. a transmute would not lose information.</p>
</blockquote>
<p>I'm not saying I agree with that yet, it's more that I was trying to treat those as orthogonal points of confusion. Possibly I can't. :)</p>



<a name="213716836"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716836" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716836">(Oct 18 2020 at 17:38)</a>:</h4>
<p>I edited to "seem to be willing to go with" ;)</p>



<a name="213716840"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716840" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716840">(Oct 18 2020 at 17:38)</a>:</h4>
<p>For now, let's go with "willing to hear out the justifications for while separately screaming into the <code>(void *)</code>". ;)</p>



<a name="213716841"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716841" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716841">(Oct 18 2020 at 17:38)</a>:</h4>
<p>and indeed these two concerns are deeply linked and cannot be separated</p>



<a name="213716867"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716867" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716867">(Oct 18 2020 at 17:39)</a>:</h4>
<p>(As a separate irony here, classically C compiler folks told systems programming folks "oh, don't do casts involving pointers, use unions instead".)</p>



<a name="213716915"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716915" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716915">(Oct 18 2020 at 17:40)</a>:</h4>
<p>("because then you won't get strict aliasing warnings")</p>



<a name="213716918"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716918" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716918">(Oct 18 2020 at 17:40)</a>:</h4>
<p>(That folk-wisdom has propagated widely.)</p>



<a name="213716980"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213716980" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213716980">(Oct 18 2020 at 17:42)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> I'm incredibly thankful that you're putting so much effort into this.</p>



<a name="213717070"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213717070" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213717070">(Oct 18 2020 at 17:45)</a>:</h4>
<p>wasn't that wisdom though to use unions for transmutes instead of ptr casts? that seems reaosnable... like, dont cast your <code>int*</code>to a <code>float*</code>, use a union instead.</p>



<a name="213717132"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213717132" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213717132">(Oct 18 2020 at 17:46)</a>:</h4>
<p>I would <em>love</em> to hear what makes you describe that as "reasonable", but I'm still keeping you from going and cooking. :)</p>



<a name="213717136"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213717136" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213717136">(Oct 18 2020 at 17:46)</a>:</h4>
<p>^^ another time, another time</p>



<a name="213717153"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213717153" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213717153">(Oct 18 2020 at 17:47)</a>:</h4>
<p>(also I should say that was a "reasonable assuming TBAA", and I dont actually think TBAA is reasonable)</p>



<a name="213717156"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213717156" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213717156">(Oct 18 2020 at 17:47)</a>:</h4>
<p>I suspect, given the relative topics of our dissertations, we could likely get into quite an epic conversation about the semantics of pointers and memory accesses, in hardware vs compilers".</p>



<a name="213717164"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213717164" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213717164">(Oct 18 2020 at 17:47)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213717153">said</a>:</p>
<blockquote>
<p>(also I should say that was a "reasonable assuming TBAA", and I dont actually think TBAA is reasonable)</p>
</blockquote>
<p>Ah, now <em>that</em> makes much more sense, on both counts. :)</p>



<a name="213717168"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213717168" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213717168">(Oct 18 2020 at 17:47)</a>:</h4>
<p>(And I'm very glad that you don't think TBAA is a reasonable assumption.)</p>



<a name="213717233"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213717233" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213717233">(Oct 18 2020 at 17:49)</a>:</h4>
<p><span class="user-mention silent" data-user-id="239881">Josh Triplett</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213716980">said</a>:</p>
<blockquote>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> I'm incredibly thankful that you're putting so much effort into this.</p>
</blockquote>
<p>I'm incredibly thankful that y'all are willing to indulge me with my theoretical concerns. I strongly believe we can avoid many of the problems around UB in C/C++ and miscompilations such as the above -- miscompilations not due to bugs but due to fundamental problems with the IR -- by being principled about our language semantics, and it is great to work with people that are willing to take this seriously :)</p>



<a name="213717247"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213717247" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213717247">(Oct 18 2020 at 17:49)</a>:</h4>
<p><span class="user-mention silent" data-user-id="239881">Josh Triplett</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213717156">said</a>:</p>
<blockquote>
<p>I suspect, given the relative topics of our dissertations, we could likely get into quite an epic conversation about the semantics of pointers and memory accesses, in hardware vs compilers".</p>
</blockquote>
<p>I need to go look up your dissertation :) but that seems likely indeed</p>



<a name="213717297"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213717297" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213717297">(Oct 18 2020 at 17:50)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213717233">said</a>:</p>
<blockquote>
<p><span class="user-mention silent" data-user-id="239881">Josh Triplett</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213716980">said</a>:</p>
<blockquote>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> I'm incredibly thankful that you're putting so much effort into this.</p>
</blockquote>
<p>I'm incredibly thankful that y'all are willing to indulge me with my theoretical concerns. I strongly believe we can avoid many of the problems around UB in C/C++ and miscompilations such as the above -- miscompilations not due to bugs but due to fundamental problems with the IR -- by being principled about our language semantics, and it is great to work with people that are willing to take this seriously :)</p>
</blockquote>
<p>I think we have many decades of technical debt to work past, where compiler optimizations and extant low-level code have evolved incompatibly, and I'd love to see that paid off and kept that way.</p>



<a name="213717323"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213717323" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213717323">(Oct 18 2020 at 17:51)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213717247">said</a>:</p>
<blockquote>
<p><span class="user-mention silent" data-user-id="239881">Josh Triplett</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213717156">said</a>:</p>
<blockquote>
<p>I suspect, given the relative topics of our dissertations, we could likely get into quite an epic conversation about the semantics of pointers and memory accesses, in hardware vs compilers".</p>
</blockquote>
<p>I need to go look up your dissertation :) but that seems likely indeed</p>
</blockquote>
<p>It's on concurrent programming without locks, so we have to care about how both the compiler and the hardware might misinterpret concurrent accesses to the same memory without locking.</p>



<a name="213718797"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213718797" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Connor Horman <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213718797">(Oct 18 2020 at 18:29)</a>:</h4>
<blockquote>
<blockquote>
<p>This is what C does. </p>
</blockquote>
<p>Source? As far as I know the opposite is the case; integers do not have provenance in C: <a href="http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2577.pdf">http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2577.pdf</a></p>
</blockquote>
<p>C++ and C both define the round trip ptr-&gt;int-&gt;ptr cast as yielding the same pointer, and part of the pointer value is it's provenance. One of the two also allows some basic arithmetic operations (I'm fairly certain it's C, but it may be C++) if the result is relatable to a pointer obtainable by a program with defined behaviour (so, (&amp;a+1)==(int*)(((uintptr_t)&amp;a)+sizeof(int)) is, in fact, correct.). As I have mentioned on github in ucg issues, pointers are absolutely annoying, and this round trip is one of the <em>few</em> ways I allow pointers to actual things to be "invented". The idea is that if you cast a pointer to an int, and then send the int off elsewhere, you have to assume the pointee (and anything reachable from it) is reachable from any code that could possibly gain access to that int (within the lifetime of said pointee). As far as I know, neither C nor C++ compilers are at all hindered by this, until you actually perform the ptr-&gt;int cast.</p>



<a name="213719520"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213719520" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Connor Horman <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213719520">(Oct 18 2020 at 18:48)</a>:</h4>
<p><a href="https://eel.is/c++draft/expr.reinterpret.cast#5">https://eel.is/c++draft/expr.reinterpret.cast#5</a> is my source for C++, Apparently C does not have such a requirement (only requiring an integer constant expression with value 0 to convert to a null pointer, and the conversion is otherwise implementation-defined).</p>



<a name="213720224"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213720224" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213720224">(Oct 18 2020 at 19:03)</a>:</h4>
<blockquote>
<p>define the round trip ptr-&gt;int-&gt;ptr cast as yielding the same pointer, and part of the pointer value is it's provenance</p>
</blockquote>
<p>hm, interesting. I assume the <a href="http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2577.pdf">PNVI proposals</a> will have to change that wording when being ported to C++.</p>



<a name="213720237"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213720237" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213720237">(Oct 18 2020 at 19:03)</a>:</h4>
<p>the C++ standard never explicitly acknowledges that pointers have provenance so I feel the authors were not quire aware of what they are specifying here</p>



<a name="213720255"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213720255" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213720255">(Oct 18 2020 at 19:04)</a>:</h4>
<p>FWIW, I can <a href="https://bugs.llvm.org/show_bug.cgi?id=34548">say for sure</a> that in LLVM, this roundtrip is <em>not</em> returning the same pointer. (or if it does they need to disable many other optimizations.)</p>



<a name="213720329"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213720329" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213720329">(Oct 18 2020 at 19:05)</a>:</h4>
<p>which makes clang's job of translating from C++ semantics to LLVM semantics... interesting to say the last.^^</p>



<a name="213720436"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213720436" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213720436">(Oct 18 2020 at 19:08)</a>:</h4>
<p>my hypothesis is that whoever wrote that sentence assumed that pointers and (ptr-sized) integers are isomorphic, i.e., they did not consider provenance. most people are rather astonished when I tell them about these things so my conclusion is, most people are not aware of the subtleties here. that also explains why basically all major compilers made the same mistake here.</p>



<a name="213721616"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213721616" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213721616">(Oct 18 2020 at 19:34)</a>:</h4>
<p>I take this to be evidence that it's very unintuitive and possibly not a good idea. I like the concrete model best, because it's, you know, what the computer <em>actually does</em></p>



<a name="213722774"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213722774" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213722774">(Oct 18 2020 at 20:00)</a>:</h4>
<p><span class="user-mention silent" data-user-id="271719">Mario Carneiro</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213721616">said</a>:</p>
<blockquote>
<p>I take this to be evidence that it's very unintuitive and possibly not a good idea. I like the concrete model best, because it's, you know, what the computer <em>actually does</em></p>
</blockquote>
<p>but this implies you dislike the vast majority of memory-related optimizations that compilers do... there's a reason no optimized language uses that model. Most get away with provenance easily as they do not support ptr-int-casts. Those that do have ptr-int-casts... well, there's a price for eating your cake and having it, too. either you pay in optimizations or you pay in UB.</p>



<a name="213722866"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213722866" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213722866">(Oct 18 2020 at 20:01)</a>:</h4>
<p>also elsewhere you were arguing for way <em>stricter</em> UB (equating validity and safety -- which implies provenance and way more), which I cannot square with you arguing for extremely relaxed UB here. (but that particular discussion is likely off-topic here.)</p>



<a name="213725332"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213725332" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213725332">(Oct 18 2020 at 20:54)</a>:</h4>
<p>heh, explaining why those actually are not contradictory, at least in my perfect vision of a compiler, would definitely be off topic since it gets into some personal/research projects. I'm certainly not against memory related optimizations, I just think there is another way to achieve them than adding provenance to the execution semantics</p>



<a name="213730535"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213730535" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Quy Nguyen <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213730535">(Oct 18 2020 at 22:58)</a>:</h4>
<blockquote>
<p>you pay in optimizations or you pay in UB</p>
</blockquote>
<p>Is there a model that allows some casts to not be UB? The twin allocation paper just states that ptrtoint casts are poison, expect for something near the jpeg6 which makes pointers casted from an int undefined to deref?</p>



<a name="213733174"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/213733174" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Connor Horman <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#213733174">(Oct 19 2020 at 00:18)</a>:</h4>
<blockquote>
<p>the C++ standard never explicitly acknowledges that pointers have provenance so I feel the authors were not quire aware of what they are specifying here</p>
</blockquote>
<p>Well, the C++ standard doesn't define provenance by name, but the rest of the rules imply it exists. In fact, std::launder was added to reinvent the provenance, because const/reference members and placement-new interacted brilliantly, entirely without any issues whatsoever. <br>
Anyways, my argument is the same, the fact provenance information is preserved by round-trip casts wouldn't alter any optimizations, except where you perform the first cast.</p>



<a name="214426478"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/214426478" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#214426478">(Oct 24 2020 at 12:58)</a>:</h4>
<blockquote>
<p>Well, the C++ standard doesn't define provenance by name, but the rest of the rules imply it exists. </p>
</blockquote>
<p>Only a select few people seem aware of this, given how wide-spread mistakes such as using <code>x == y</code> as clue to replace <code>x</code> by <code>y</code>, or optimizing the cast roundtrip, are.</p>



<a name="214426536"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/214426536" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#214426536">(Oct 24 2020 at 12:59)</a>:</h4>
<blockquote>
<p>Anyways, my argument is the same, the fact provenance information is preserved by round-trip casts wouldn't alter any optimizations, except where you perform the first cast.</p>
</blockquote>
<p>As I said above, if cast roundtrips preserve provenance, then integers have provenance, and that <em>does</em> disable many optimizations. But it takes a very concrete operational model to see this, which is why it is very hard to tell from the standard.</p>



<a name="214426624"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/214426624" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#214426624">(Oct 24 2020 at 13:01)</a>:</h4>
<p>specifically, there is a sequence of three optimizations that turns a program without UB into one with UB:</p>
<ul>
<li>exploiting pointer provenance,</li>
<li>optimizing away a cast roundtrip,</li>
<li>exploiting lack of provenance on integers.</li>
</ul>
<p>This disproves your statement (once I have actually shown these optimizations). I have long planned to write a blog post about this; I might prioritize this a bit more given recent discussions.</p>



<a name="214427118"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/214427118" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#214427118">(Oct 24 2020 at 13:11)</a>:</h4>
<p>So given that, I wonder why you think that it would <em>not</em> alter any optimizations. What is the proof of that? Which optimizations are possible is an <em>extremely</em> subtle question and heavily depends on tiny details of how the semantics of a language is set up. I do not think the C/C++ standards are written precisely enough for that; this depends a lot on how they are interpreted. (To give an example unrelated to provenance, the answer to <a href="http://www.open-std.org/jtc1/sc22/wg14/www/docs/n1793.pdf">questions like this</a> has large impact on possible optimizations, and yet the standard still does not clarify the exact nature of indeterminate and unspecified values.)</p>



<a name="214432724"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/214432724" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Connor Horman <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#214432724">(Oct 24 2020 at 15:15)</a>:</h4>
<p>The simple answer comes down to my point that implementations may define the results of UB. The compiler thus is allowed to introduce UB in its transformations, as long as it doesn't violate the <em>as-if</em> rule, that is, it's treated as though it didn't introduce the UB. As an example, llvm, in lifting certain operations (like signed arithmetic), can introduce UB to a C or C++ program that didn't have it. It translates this into producing poison when the corresponding operation has UB, instead of causing actual UB in llvm. If x and y compare equal, but x points to an object and y doesn't, the compiler can choose to access x's pointee through y, provided it acts as-if it still used x to perform the access. Same with pointer arithmetic. Similarly, the compiler can choose to not introduce UB when the language rules imply it would. For example, if a write to a pointer of type usize delete provenance information, this is an optimization time artifact, so the compiler can choose to perform the DSE, because it only affects how it decides to optimize other (potentially unrelated) code. If it wasn't going to optimize it anyways, perhaps because it's so far away its effectively a black-box, nothing is sacrificed by maintaining provenance when the operation would destroy it.</p>



<a name="214433896"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/214433896" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#214433896">(Oct 24 2020 at 15:40)</a>:</h4>
<blockquote>
<p>The compiler thus is allowed to introduce UB in its transformations, as long as it doesn't violate the as-if rule, that is, it's treated as though it didn't introduce the UB.</p>
</blockquote>
<p>This is only true if you run no further optimizations after this one. Which is not how compilers work.<br>
If you want to be able to run optimizations on a single IR in any order, you need to ensure that each optimization is justified against the semantics of that one IR -- it may rely on the program not being UB, and it may not produce a program that is UB.</p>



<a name="214433983"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/214433983" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#214433983">(Oct 24 2020 at 15:42)</a>:</h4>
<p>You could in theory do the optimization while translating to a <em>different IR</em>, with a different semantics, where this is not UB. But then all further optimizations need to respect that other IR's different UB rules! It's nowhere near as easy as you make it sound.</p>



<a name="214434650"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/214434650" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#214434650">(Oct 24 2020 at 15:58)</a>:</h4>
<p>This seems to be related to <a href="https://github.com/rust-lang/unsafe-code-guidelines/issues/253#issuecomment-715953308">this point</a>: you seem to treat UB as being somehow separate from the rest of the language semantics, but that is not possible. If you want to have any chance of actually arguing for the correctness of your compiler, you need to very carefully ensure that no UB is ever introduced by the compiler. Otherwise you will quickly end up in a situation where one compiler pass "introduces UB", and then the next compiler pass assumes that there is no UB:</p>
<p>(These passes will likely run on an IR, in which case it is the precise semantics-- including UB! -- of that IR that are relevant. Then it also becomes crucial to show that UB-free programs in the src language are UB-free after being translated into the IR.)</p>



<a name="214434827"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/214434827" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#214434827">(Oct 24 2020 at 16:01)</a>:</h4>
<blockquote>
<p>As an example, llvm, in lifting certain operations (like signed arithmetic), can introduce UB to a C or C++ program that didn't have it. </p>
</blockquote>
<p>Not it cannot and does not.</p>
<blockquote>
<p>It translates this into producing poison when the corresponding operation has UB, instead of causing actual UB in llvm</p>
</blockquote>
<p>See, it does <em>not</em> cause UB because this operation is not UB in LLVM IR. It is important to always keep in mind which language a program is in, and which UB rules that language has.</p>
<p>No LLVM optimization may ever introduce something that is UB in LLVM IR. And it is impossible to define an IR in a way that you can do all of the optimizations I listed above. <em>That</em> is the problem we are talking about.</p>



<a name="214435263"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/214435263" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#214435263">(Oct 24 2020 at 16:10)</a>:</h4>
<p>If you want to learn about ways to make a compiler sufficiently precise that we can actually prove its correctness, I suggest looking for "CompCert". It is the only compiler that <a href="https://www.cs.utah.edu/~regehr/papers/pldi11-preprint.pdf">the Csmith folks</a> were unable to find an optimization bug in.<br>
I am not suggesting we have to verify the Rust compiler. But so far, we (as a species) know exactly one way to build a compiler that is not broken, and that is to be principled about having a proper and precise semantics for each IR along the compilation chain, and ensuring that each optimization only relies on the assumptions encoded in the source language (i.e., it assumes the source program is not UB, and nothing else) and satisfies all the assumptions of the target language (i.e., it ensures the target program is not UB).</p>



<a name="214435306"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/214435306" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#214435306">(Oct 24 2020 at 16:11)</a>:</h4>
<p>so I am not going to entertain ideas of a compiler that introduces UB in some optimizations but then somehow claims that this is okay because it's not really UB or so. that is not a way to build a reliable compiler.<br>
(FWIW, it is also not how modern compilers are built, to my knowledge. They all have various IRs each with their own notion of UB, and aim to ensure that no UB is introduced by an optimization. Unfortunately, they are usually not spending a lot of time figuring out what exactly is and is not UB in their IRs, which leads to <a href="https://www.cs.utah.edu/~regehr/papers/undef-pldi17.pdf">many bugs</a> that are only fixed by taking the more principled, language-centric approach of taking the IR serious as a language and defining its UB precisely.)</p>



<a name="228487925"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228487925" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jack Wrenn <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228487925">(Mar 02 2021 at 21:20)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span>, I'm trying to page this back in so I can scope out what the implementation might have to handle.</p>
<p>The impression I get is that both:</p>
<ul>
<li>transmutations from pointers to integers</li>
<li>transmutations from integers to pointers</li>
</ul>
<p>are unsound. Is that correct?</p>



<a name="228488327"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228488327" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jack Wrenn <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228488327">(Mar 02 2021 at 21:23)</a>:</h4>
<p>I'm not totally clear on if/how pointer casting differs from transmutation. I think of these functions as being equivalent:</p>
<div class="codehilite" data-code-language="Rust"><pre><span></span><code><span class="k">pub</span><span class="w"> </span><span class="k">unsafe</span><span class="w"> </span><span class="k">fn</span> <span class="nf">convert_with_cast</span><span class="o">&lt;</span><span class="n">Src</span><span class="p">,</span><span class="w"> </span><span class="n">Dst</span><span class="o">&gt;</span><span class="p">(</span><span class="n">src</span>: <span class="nc">Src</span><span class="p">)</span><span class="w"> </span>-&gt; <span class="nc">Dst</span><span class="w"></span>
<span class="p">{</span><span class="w"></span>
<span class="w">    </span><span class="kd">let</span><span class="w"> </span><span class="n">dst</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="n">core</span>::<span class="n">ptr</span>::<span class="n">read_unaligned</span><span class="p">(</span><span class="o">&amp;</span><span class="n">src</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="o">*</span><span class="k">const</span><span class="w"> </span><span class="n">Src</span><span class="w"> </span><span class="k">as</span><span class="w"> </span><span class="o">*</span><span class="k">const</span><span class="w"> </span><span class="n">Dst</span><span class="p">);</span><span class="w"></span>
<span class="w">    </span><span class="n">core</span>::<span class="n">mem</span>::<span class="n">forget</span><span class="p">(</span><span class="n">src</span><span class="p">);</span><span class="w"></span>
<span class="w">    </span><span class="n">dst</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>

<span class="k">pub</span><span class="w"> </span><span class="k">unsafe</span><span class="w"> </span><span class="k">fn</span> <span class="nf">convert_with_union</span><span class="o">&lt;</span><span class="n">Src</span><span class="p">,</span><span class="w"> </span><span class="n">Dst</span><span class="o">&gt;</span><span class="p">(</span><span class="n">src</span>: <span class="nc">Src</span><span class="p">)</span><span class="w"> </span>-&gt; <span class="nc">Dst</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w">    </span><span class="k">use</span><span class="w"> </span><span class="n">core</span>::<span class="n">mem</span>::<span class="n">ManuallyDrop</span><span class="p">;</span><span class="w"></span>

<span class="w">    </span><span class="cp">#[repr(C)]</span><span class="w"></span>
<span class="w">    </span><span class="k">union</span> <span class="nc">Transmute</span><span class="o">&lt;</span><span class="n">Src</span><span class="p">,</span><span class="w"> </span><span class="n">Dst</span><span class="o">&gt;</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w">        </span><span class="n">src</span>: <span class="nc">ManuallyDrop</span><span class="o">&lt;</span><span class="n">Src</span><span class="o">&gt;</span><span class="p">,</span><span class="w"></span>
<span class="w">        </span><span class="n">dst</span>: <span class="nc">ManuallyDrop</span><span class="o">&lt;</span><span class="n">Dst</span><span class="o">&gt;</span><span class="p">,</span><span class="w"></span>
<span class="w">    </span><span class="p">}</span><span class="w"></span>

<span class="w">    </span><span class="n">ManuallyDrop</span>::<span class="n">into_inner</span><span class="p">(</span><span class="w"></span>
<span class="w">        </span><span class="n">Transmute</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="n">src</span>: <span class="nc">ManuallyDrop</span>::<span class="n">new</span><span class="p">(</span><span class="n">src</span><span class="p">)</span><span class="w"> </span><span class="p">}.</span><span class="n">dst</span><span class="p">)</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
</code></pre></div>
<p>Are they not?</p>



<a name="228489931"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228489931" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Lokathor <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228489931">(Mar 02 2021 at 21:33)</a>:</h4>
<p>I also care greatly about much of this because a lot of unsafe code transmutes between ptr/usize/isize</p>



<a name="228563917"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228563917" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Daniel Henry-Mantilla <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228563917">(Mar 03 2021 at 09:53)</a>:</h4>
<p>AFAIK, <code>transmute</code>, dereference of a casted pointer, and going through the union they all do the <em>same</em> thing: that of transmuting the bag of bytes (≠ cast). I'd say the last two cases are the reason <code>transmute</code> also operates that way (for consistency).<br>
So, if having a "transmute that can break things (such as pointer provenance) when used with pointer types" is annoying for your design, <span class="user-mention" data-user-id="219211">@Jack Wrenn</span>, you can try to explicitly use a special transmute that differs from the above semantics. With some support from the compiler (actually, just <code>min_specialization</code> ought to suffice), that shouldn't be difficult. But I don't know how useful such a "smarter" transmute would be, precisely because it doesn't generalize to indirection:</p>
<div class="codehilite" data-code-language="Rust"><pre><span></span><code><span class="n">cast_else_transmute</span>::<span class="o">&lt;*</span><span class="k">const</span><span class="w"> </span><span class="kt">u8</span><span class="p">,</span><span class="w"> </span><span class="kt">usize</span><span class="o">&gt;</span><span class="p">(</span><span class="err">…</span><span class="p">)</span><span class="w"> </span><span class="c1">// OK</span>
<span class="n">cast_else_transmute</span>::<span class="o">&lt;&amp;'</span><span class="na">lt</span><span class="w"> </span><span class="o">*</span><span class="k">const</span><span class="w"> </span><span class="kt">u8</span><span class="p">,</span><span class="w"> </span><span class="o">&amp;'</span><span class="na">lt</span><span class="w"> </span><span class="kt">usize</span><span class="o">&gt;</span><span class="p">(</span><span class="err">…</span><span class="p">)</span><span class="w"> </span><span class="c1">// Uhhh</span>
</code></pre></div>
<p>I personally think that "carrying 'invisible compiler information'" such as pointer provenance ought to be encoded in your safe-transmute RFC, precisely to be able to yield a more correct generalization.</p>
<p>As a very naïve approach, only tailored for pointer provenance and nothing else, you could have a trait that we assume magically implemented for <em>all</em> <code>Sized</code> types</p>
<div class="codehilite" data-code-language="Rust"><pre><span></span><code><span class="k">trait</span><span class="w"> </span><span class="n">MayCarryProvenance</span><span class="w"> </span>: <span class="nb">Sized</span> <span class="p">{</span><span class="w"></span>
<span class="w">    </span><span class="k">const</span><span class="w"> </span><span class="n">DoesIt</span>: <span class="kt">bool</span><span class="p">;</span><span class="w"> </span><span class="c1">// or type-level Bool while eq constraints on assoc bools don't work.</span>
<span class="p">}</span><span class="w"></span>
</code></pre></div>
<p>And then you can only transmute when <code>Dst : MayCarryProvenance&lt;DoesIt = &lt;Src as MayCarryProvenance&gt;::DoesIt&gt;</code> with the one exception of no-indirection transmute, where the specialized <code>cast_else_transmute</code> could kick in.</p>
<p>But I generally don't see, even outside your RFC, how it would be possible to reinterpret a <code>&amp;[*const u8]</code> as a <code>&amp;[usize]</code>, for instance <span aria-label="grimacing" class="emoji emoji-1f62c" role="img" title="grimacing">:grimacing:</span></p>



<a name="228581544"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228581544" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228581544">(Mar 03 2021 at 12:17)</a>:</h4>
<blockquote>
<p>I'm not totally clear on if/how pointer casting differs from transmutation. I think of these functions as being equivalent:</p>
</blockquote>
<p>Yes, transmute-via-ptr-cast, transmute-via-union, and transmute-via-<code>mem::transmute</code> are all equivalent. Or at least, I am taking that as a design constraint for the models I am considering. Of course it is conceivable to make them different, if we really want to.</p>



<a name="228581760"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228581760" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228581760">(Mar 03 2021 at 12:20)</a>:</h4>
<p><span class="user-mention silent" data-user-id="219211">Jack Wrenn</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/228487925">said</a>:</p>
<blockquote>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span>, I'm trying to page this back in so I can scope out what the implementation might have to handle.</p>
<p>The impression I get is that both:</p>
<ul>
<li>transmutations from pointers to integers</li>
<li>transmutations from integers to pointers</li>
</ul>
<p>are unsound. Is that correct?</p>
</blockquote>
<p>well... it's complicated.^^ The one thing I can say for sure is that <code>transmute::&lt;*const T, usize&gt;</code> is <em>not the same</em> as <code>as usize</code>, and likewise for the other direction.</p>



<a name="228581890"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228581890" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228581890">(Mar 03 2021 at 12:21)</a>:</h4>
<p>This is because a ptr-to-int cast is not a NOP; see <a href="https://www.ralfj.de/blog/2020/12/14/provenance.html">this blog post</a> for why making it a NOP is not possible (assuming that we dont want to sacrifice a bunch of common optimizations)</p>



<a name="228582043"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228582043" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228582043">(Mar 03 2021 at 12:22)</a>:</h4>
<p>OTOH, <code>transmute</code> must be a NOP to ensure its equivalence to ptr casts / union field accesses.</p>



<a name="228582257"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228582257" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228582257">(Mar 03 2021 at 12:24)</a>:</h4>
<p>And that's where we hit the edge of the map... beyond this, all we have are some signposts for what consequences it has to make one choice or another. in particular, if we allow transmuting ptrs to ints and back and we say this returns the original ptr, then the first optimization in the blog post counterexample becomes invalid: integer equality is no longer strong enough to justify substituting one variable by another.</p>



<a name="228582367"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228582367" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228582367">(Mar 03 2021 at 12:25)</a>:</h4>
<p>Ergo, if we want to keep that optimization, and if we want to keep transmute a NOP, then either the ptr-to-int transmute or the int-to-ptr transmute has to give. I dont actually know a consistent model where it's the int-to-ptr transmute that gives. I know how to build a consistent model where ptr-to-int transmutes are UB (basically, a ptr becomes an "invalid value" for integer types).</p>



<a name="228584346"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228584346" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228584346">(Mar 03 2021 at 12:42)</a>:</h4>
<p>Is it safe to have an <code>Assume</code> for ignoring provenance mismatch, or is the result impossible to use without UB? Certainly there is a lot of current code out there that transmutes <code>&amp;[*const u8]</code> to <code>&amp;[usize]</code> and such, and I think miri isn't currently giving any errors on this kind of thing</p>



<a name="228584594"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228584594" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228584594">(Mar 03 2021 at 12:44)</a>:</h4>
<p><span class="user-mention" data-user-id="232018">@Daniel Henry-Mantilla</span> I think your <code>MayCarryProvenance</code> is insufficiently precise, since presumably both <code>(*const u8, usize)</code> and <code>(usize, *const u8)</code> have <code>MayCarryProvenance&lt;DoesIt = true&gt;</code> but transmuting between them is likely to have provenance issues</p>



<a name="228632790"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228632790" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228632790">(Mar 03 2021 at 17:32)</a>:</h4>
<p>Do we have a conception of how important those optimizations are? How much do we lose if we say that you can't do that kind of substitution on the basis of integer equality?</p>



<a name="228632877"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228632877" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228632877">(Mar 03 2021 at 17:33)</a>:</h4>
<p>^ <span class="user-mention" data-user-id="120791">@RalfJ</span></p>



<a name="228633160"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228633160" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228633160">(Mar 03 2021 at 17:34)</a>:</h4>
<p>Also, when you talk about keeping transmute a no-op, do you mean in machine code or in intermediate representations? I think it's perfectly fine if transmute involves some additional operations in intermediate representations, as long as those operations disappear by the time we reach machine code.</p>



<a name="228633719"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228633719" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228633719">(Mar 03 2021 at 17:38)</a>:</h4>
<p><span class="user-mention silent" data-user-id="239881">Josh Triplett</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/228632790">said</a>:</p>
<blockquote>
<p>Do we have a conception of how important those optimizations are? How much do we lose if we say that you can't do that kind of substitution on the basis of integer equality?</p>
</blockquote>
<p>I'm afraid I have no idea. I just know that this is baked deep into LLVM's GVN pass.</p>



<a name="228633874"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228633874" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228633874">(Mar 03 2021 at 17:39)</a>:</h4>
<p><span class="user-mention silent" data-user-id="271719">Mario Carneiro</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/228584346">said</a>:</p>
<blockquote>
<p>Is it safe to have an <code>Assume</code> for ignoring provenance mismatch,</p>
</blockquote>
<p>I don't know what that means.</p>
<p>Indeed Miri currently doesn't error on this because there is no clear semantics and probably enough code violating this to make Miri really hard to use.^^</p>



<a name="228634031"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228634031" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228634031">(Mar 03 2021 at 17:40)</a>:</h4>
<p><span class="user-mention silent" data-user-id="239881">Josh Triplett</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/228633160">said</a>:</p>
<blockquote>
<p>Also, when you talk about keeping transmute a no-op, do you mean in machine code or in intermediate representations? I think it's perfectly fine if transmute involves some additional operations in intermediate representations, as long as those operations disappear by the time we reach machine code.</p>
</blockquote>
<p>I mean in intemediate representations. However, even if we say that <code>transmute</code> does something in MIR, I still see no way to make transmute-through-raw-ptr do the same.</p>



<a name="228634202"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228634202" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228634202">(Mar 03 2021 at 17:41)</a>:</h4>
<p><span class="user-mention silent" data-user-id="239881">Josh Triplett</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/228632790">said</a>:</p>
<blockquote>
<p>Do we have a conception of how important those optimizations are? How much do we lose if we say that you can't do that kind of substitution on the basis of integer equality?</p>
</blockquote>
<p>I should also mention that substitution based on equality is just the most obvious optimization that is invalidated. There are more. Achieving both associativity and commutativity of <code>+</code> and <code>*</code> is tricky but (I think) possible; <em>also</em> achieving <code>x * 0</code> to be the same as <code>0</code> is not possible I think.</p>



<a name="228642167"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228642167" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228642167">(Mar 03 2021 at 18:27)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/228633719">said</a>:</p>
<blockquote>
<p><span class="user-mention silent" data-user-id="239881">Josh Triplett</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/228632790">said</a>:</p>
<blockquote>
<p>Do we have a conception of how important those optimizations are? How much do we lose if we say that you can't do that kind of substitution on the basis of integer equality?</p>
</blockquote>
<p>I'm afraid I have no idea. I just know that this is baked deep into LLVM's GVN pass.</p>
</blockquote>
<p>So, it's less "there are optimizations we can't afford to lose", and more "LLVM requires that assumption"? Because that seems like a different argument.</p>



<a name="228644322"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228644322" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228644322">(Mar 03 2021 at 18:40)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/228634202">said</a>:</p>
<blockquote>
<p><span class="user-mention silent" data-user-id="239881">Josh Triplett</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/228632790">said</a>:</p>
<blockquote>
<p>Do we have a conception of how important those optimizations are? How much do we lose if we say that you can't do that kind of substitution on the basis of integer equality?</p>
</blockquote>
<p>I should also mention that substitution based on equality is just the most obvious optimization that is invalidated. There are more. Achieving both associativity and commutativity of <code>+</code> and <code>*</code> is tricky but (I think) possible; <em>also</em> achieving <code>x * 0</code> to be the same as <code>0</code> is not possible I think.</p>
</blockquote>
<p>How might <code>x * 0</code> come up in the context of provenance? I would think (perhaps incorrectly) that NULL pointers wouldn't have provenance.</p>



<a name="228646291"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228646291" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228646291">(Mar 03 2021 at 18:53)</a>:</h4>
<p>null pointers are assumed to not point at any object in particular, yeah.</p>



<a name="228646442"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228646442" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> nagisa <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228646442">(Mar 03 2021 at 18:54)</a>:</h4>
<p>There was a recent miscompile related to LLVM simplifying some ptr computations to a <code>null</code> and losing original pointer's provenance in the process.</p>



<a name="228712538"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228712538" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228712538">(Mar 04 2021 at 03:58)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/228633874">said</a>:</p>
<blockquote>
<p><span class="user-mention silent" data-user-id="271719">Mario Carneiro</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/228584346">said</a>:</p>
<blockquote>
<p>Is it safe to have an <code>Assume</code> for ignoring provenance mismatch,</p>
</blockquote>
<p>I don't know what that means.</p>
</blockquote>
<p>While I still don't know exactly what the semantics around all this pointer provenance stuff should be, I think there is a clear actionable option for the safe-transmute MCP, which is to introduce an <code>Assume::PROVENANCE</code> option. If that is disabled, then transmuting references to pointers to usize in any combination is disallowed, and if it is enabled then it is allowed; since allowing any <code>Assume</code> requires an unsafe block we don't have to sweat too much over the actual soundness of this (although we should probably have clear rules for folks by the time the RFC lands).</p>



<a name="228712737"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228712737" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228712737">(Mar 04 2021 at 04:00)</a>:</h4>
<p>If we decide later that some pointer-int transmutes are okay in safe code, then we can tweak the check in the <code>Assume.provenance = false</code> case to allow these transmutes while denying any transmutes that we either know are unsafe or aren't sure about.</p>



<a name="228713355"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228713355" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228713355">(Mar 04 2021 at 04:09)</a>:</h4>
<p><span class="user-mention silent" data-user-id="239881">Josh Triplett</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/228644322">said</a>:</p>
<blockquote>
<p>How might <code>x * 0</code> come up in the context of provenance? I would think (perhaps incorrectly) that NULL pointers wouldn't have provenance.</p>
</blockquote>
<p>The difference between <code>as</code> casting a pointer to a usize and transmuting is that transmuting does <em>nothing</em> to the abstract data; it essentially can't because it has to recursively track through a bunch of things, some of which aren't safe to access (like data behind a pointer). That means that transmuting a pointer with provenance to an integer results in an integer with provenance. (It's currently unclear whether <code>*const T as usize</code> also results in an integer with provenance, but transmute definitely produces integers with provenance, assuming <code>*const T</code> has provenance.) Once you have an integer with provenance, you have to worry about how all the algebraic operations on integers act on provenance, hence the concern about <code>x * 0</code>.</p>
<p>As long as you use pointer operations to do pointer arithmetic, I think there isn't too much trouble with pointer provenance because they all have well defined rules on provenance. It's only when you move to integer land and start taking gcd's of pointers and such that it's not clear what's supposed to happen.</p>



<a name="228732796"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228732796" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228732796">(Mar 04 2021 at 08:18)</a>:</h4>
<blockquote>
<p>So, it's less "there are optimizations we can't afford to lose", and more "LLVM requires that assumption"? Because that seems like a different argument.</p>
</blockquote>
<p>LLVM and every other production compiler I am aware of. I view that as strong evidence that nobody is willing to lose those optimizations. But (as with most UB-enabled optimizations) sadly there is little quantitative data on how much performance one would leave on the table.</p>



<a name="228732860"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228732860" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228732860">(Mar 04 2021 at 08:18)</a>:</h4>
<blockquote>
<p>How might x * 0 come up in the context of provenance? I would think (perhaps incorrectly) that NULL pointers wouldn't have provenance.</p>
</blockquote>
<p><code>x</code> is an integer here. If we can transmute ptrs to ints, then ints can carry provenance. The issue is that <code>x*0</code> would be "derived from <code>x</code>" (have provenance of <code>x</code>), but <code>0</code> would certainly not. Thus replacing <code>x*0</code> by <code>0</code> is wrong.</p>



<a name="228732875"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228732875" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228732875">(Mar 04 2021 at 08:19)</a>:</h4>
<p><span class="user-mention" data-user-id="239881">@Josh Triplett</span> ^</p>



<a name="228733014"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228733014" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228733014">(Mar 04 2021 at 08:20)</a>:</h4>
<p><span class="user-mention silent" data-user-id="271719">Mario Carneiro</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/228712538">said</a>:</p>
<blockquote>
<p>While I still don't know exactly what the semantics around all this pointer provenance stuff should be, I think there is a clear actionable option for the safe-transmute MCP, which is to introduce an <code>Assume::PROVENANCE</code> option. If that is disabled, then transmuting references to pointers to usize in any combination is disallowed, and if it is enabled then it is allowed; since allowing any <code>Assume</code> requires an unsafe block we don't have to sweat too much over the actual soundness of this (although we should probably have clear rules for folks by the time the RFC lands).</p>
</blockquote>
<p>Oh, you dont mean the LLVM intrinsic <code>assume</code>, you meant something thats part of the safe-transmute infrastructure.^^ sorry, I didnt get that.</p>



<a name="228733486"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228733486" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228733486">(Mar 04 2021 at 08:23)</a>:</h4>
<blockquote>
<p>It's only when you move to integer land and start taking gcd's of pointers and such that it's not clear what's supposed to happen.</p>
</blockquote>
<p>Well, there is a pretty intuitive semantics if one can have a notion of "union of provenances" (basically, "this value is derived from those N ptrs"). Stacked Borrows doesnt have such a notion but it is at least conceivable. Then the result of an integer operation can have as provenance the union of the inputs. This is associative and commutative, I think even distribution of <code>+</code> and <code>*</code> holds. However, everything that "removes dependencies" breaks, such as <code>x * 0</code> becoming <code>0</code> (and integer substitution also breaks of course).</p>



<a name="228735989"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228735989" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228735989">(Mar 04 2021 at 08:45)</a>:</h4>
<p><span class="user-mention" data-user-id="120791">@RalfJ</span> 0 wouldn't have provenance, but it's a null pointer, so I wouldn't think changing x * 0 to 0 would matter in practice.</p>



<a name="228736098"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228736098" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Josh Triplett <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228736098">(Mar 04 2021 at 08:46)</a>:</h4>
<p>It's not clear how you could get from x * 0 to something you can dereference without adding in the correct provenance along the way.</p>



<a name="228737406"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228737406" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228737406">(Mar 04 2021 at 09:00)</a>:</h4>
<p><span class="user-mention silent" data-user-id="239881">Josh Triplett</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/228736098">said</a>:</p>
<blockquote>
<p>It's not clear how you could get from x * 0 to something you can dereference without adding in the correct provenance along the way.</p>
</blockquote>
<p>you could have the right offset somewhere as an actual provenance-free integer</p>



<a name="228737461"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228737461" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228737461">(Mar 04 2021 at 09:00)</a>:</h4>
<p>LLVM fixed exactly such a bug recently</p>



<a name="228737557"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/228737557" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#228737557">(Mar 04 2021 at 09:01)</a>:</h4>
<p><a href="https://bugs.llvm.org/show_bug.cgi?id=48577">https://bugs.llvm.org/show_bug.cgi?id=48577</a><br>
<a href="https://github.com/rust-lang/rust/issues/80309">https://github.com/rust-lang/rust/issues/80309</a></p>



<a name="241812464"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/216762-project-safe-transmute/topic/Transmuting%20betwen%20references%20/%20raw%20pointers%20/%20integers/near/241812464" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> RalfJ <a href="https://rust-lang.github.io/zulip_archive/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers.html#241812464">(Jun 07 2021 at 17:34)</a>:</h4>
<p><span class="user-mention silent" data-user-id="120791">RalfJ</span> <a href="#narrow/stream/216762-project-safe-transmute/topic/Transmuting.20betwen.20references.20.2F.20raw.20pointers.20.2F.20integers/near/213661854">said</a>:</p>
<blockquote>
<p>Will safe-transmute as proposed allow safe code to transmute between references, raw pointers/function pointers, and other non-pointer types? I think we have to tread very carefully here...<br>
<a href="https://github.com/rust-lang/unsafe-code-guidelines/issues/251#issuecomment-710783381">See this discussion</a> for some background, and ctrl-F for "type punning" in <a href="https://people.mpi-sws.org/~jung/twinsem/twinsem.pdf">this paper</a> for all of the details. The upshot is that transmuting (not casting) pointers to integers might be UB, or at least that is sadly the best proposal we have so far for a semantics that actually allows all the optimizations that compilers already perform.</p>
</blockquote>
<p>I have now more properly written up the issue with ptr-to-int transmutes: <a href="https://github.com/rust-lang/unsafe-code-guidelines/issues/286">https://github.com/rust-lang/unsafe-code-guidelines/issues/286</a></p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>